From d7f2c8853d019344ff58ea2663641f354927d976 Mon Sep 17 00:00:00 2001
From: Eric Chiang <eric.chiang.m@gmail.com>
Date: Thu, 28 Sep 2017 23:46:35 -0700
Subject: [PATCH] kubelet tls bootstrapping: fix role names

---
 docs/admin/kubelet-tls-bootstrapping.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/admin/kubelet-tls-bootstrapping.md b/docs/admin/kubelet-tls-bootstrapping.md
index 0d553828ecbbd..da2b187dff205 100644
--- a/docs/admin/kubelet-tls-bootstrapping.md
+++ b/docs/admin/kubelet-tls-bootstrapping.md
@@ -133,9 +133,9 @@ rules:
 As of 1.8, equivalent roles to the ones listed above are automatically created as part of the default RBAC roles.
 For 1.8 clusters admins are recommended to bind tokens to the following roles instead of creating their own:
 
-* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:nodeclient`
+* `system:certificates.k8s.io:certificatesigningrequests:nodeclient`
     - Automatically approve CSRs for client certs bound to this role.
-* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:selfnodeclient`
+* `system:certificates.k8s.io:certificatesigningrequests:selfnodeclient`
     - Automatically approve CSRs when a client bound to its role renews its own certificate.
 
 These powers can be granted to credentials, such as bootstrapping tokens. For example, to replicate the behavior